<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/http.h, branch v1.8.2.2</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v1.8.2.2</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v1.8.2.2'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2013-02-04T18:22:36Z</updated>
<entry>
<title>Verify Content-Type from smart HTTP servers</title>
<updated>2013-02-04T18:22:36Z</updated>
<author>
<name>Shawn Pearce</name>
<email>spearce@spearce.org</email>
</author>
<published>2013-01-31T21:02:07Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=4656bf47fca857df51b5d6f4b7b052192b3b2317'/>
<id>urn:sha1:4656bf47fca857df51b5d6f4b7b052192b3b2317</id>
<content type='text'>
Before parsing a suspected smart-HTTP response verify the returned
Content-Type matches the standard. This protects a client from
attempting to process a payload that smells like a smart-HTTP
server response.

JGit has been doing this check on all responses since the dawn of
time. I mistakenly failed to include it in git-core when smart HTTP
was introduced. At the time I didn't know how to get the Content-Type
from libcurl. I punted, meant to circle back and fix this, and just
plain forgot about it.

Signed-off-by: Shawn Pearce &lt;spearce@spearce.org&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http: do not set up curl auth after a 401</title>
<updated>2012-10-12T16:45:15Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2012-10-12T07:35:59Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=1960897ebc5a899a8e4ec3c2afc1d2325574fe41'/>
<id>urn:sha1:1960897ebc5a899a8e4ec3c2afc1d2325574fe41</id>
<content type='text'>
When we get an http 401, we prompt for credentials and put
them in our global credential struct. We also feed them to
the curl handle that produced the 401, with the intent that
they will be used on a retry.

When the code was originally introduced in commit 42653c0,
this was a necessary step. However, since dfa1725, we always
feed our global credential into every curl handle when we
initialize the slot with get_active_slot. So every further
request already feeds the credential to curl.

Moreover, accessing the slot here is somewhat dubious. After
the slot has produced a response, we don't actually control
it any more.  If we are using curl_multi, it may even have
been re-initialized to handle a different request.

It just so happens that we will reuse the curl handle within
the slot in such a case, and that because we only keep one
global credential, it will be the one we want.  So the
current code is not buggy, but it is misleading.

By cleaning it up, we can remove the slot argument entirely
from handle_curl_result, making it much more obvious that
slots should not be accessed after they are marked as
finished.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http: fix segfault in handle_curl_result</title>
<updated>2012-10-12T16:42:31Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2012-10-12T06:22:49Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=188923f0d1c8148415b3173986cd1e21871c947e'/>
<id>urn:sha1:188923f0d1c8148415b3173986cd1e21871c947e</id>
<content type='text'>
When we create an http active_request_slot, we can set its
"results" pointer back to local storage. The http code will
fill in the details of how the request went, and we can
access those details even after the slot has been cleaned
up.

Commit 8809703 (http: factor out http error code handling)
switched us from accessing our local results struct directly
to accessing it via the "results" pointer of the slot. That
means we're accessing the slot after it has been marked as
finished, defeating the whole purpose of keeping the results
storage separate.

Most of the time this doesn't matter, as finishing the slot
does not actually clean up the pointer. However, when using
curl's multi interface with the dumb-http revision walker,
we might actually start a new request before handing control
back to the original caller. In that case, we may reuse the
slot, zeroing its results pointer, and leading the original
caller to segfault while looking for its results inside the
slot.

Instead, we need to pass a pointer to our local results
storage to the handle_curl_result function, rather than
relying on the pointer in the slot struct. This matches what
the original code did before the refactoring (which did not
use a separate function, and therefore just accessed the
results struct directly).

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http: factor out http error code handling</title>
<updated>2012-08-27T17:49:09Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2012-08-27T13:26:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=88097030725bf68d1801559cfb4785b93a50f5f8'/>
<id>urn:sha1:88097030725bf68d1801559cfb4785b93a50f5f8</id>
<content type='text'>
Most of our http requests go through the http_request()
interface, which does some nice post-processing on the
results. In particular, it handles prompting for missing
credentials as well as approving and rejecting valid or
invalid credentials. Unfortunately, it only handles GET
requests. Making it handle POSTs would be quite complex, so
let's pull result handling code into its own function so
that it can be reused from the POST code paths.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>correct spelling: an URL -&gt; a URL</title>
<updated>2012-03-28T15:47:23Z</updated>
<author>
<name>Jim Meyering</name>
<email>jim@meyering.net</email>
</author>
<published>2012-03-28T08:41:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a7793a749115ead3b8f7447ce1e96572ea5d8ea3'/>
<id>urn:sha1:a7793a749115ead3b8f7447ce1e96572ea5d8ea3</id>
<content type='text'>
Signed-off-by: Jim Meyering &lt;meyering@redhat.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jk/maint-push-over-dav'</title>
<updated>2011-12-20T00:05:59Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2011-12-20T00:05:59Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=1d3a035d6d48bfa870b6ebe7c59f12b66e3a1b1c'/>
<id>urn:sha1:1d3a035d6d48bfa870b6ebe7c59f12b66e3a1b1c</id>
<content type='text'>
* jk/maint-push-over-dav:
  http-push: enable "proactive auth"
  t5540: test DAV push with authentication

Conflicts:
	http.c
</content>
</entry>
<entry>
<title>http-push: enable "proactive auth"</title>
<updated>2011-12-14T00:34:44Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2011-12-14T00:11:56Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a4ddbc33d7906f0e10c68c140a9a1003d9715a77'/>
<id>urn:sha1:a4ddbc33d7906f0e10c68c140a9a1003d9715a77</id>
<content type='text'>
Before commit 986bbc08, git was proactive about asking for
http passwords. It assumed that if you had a username in
your URL, you would also want a password, and asked for it
before making any http requests.

However, this could interfere with the use of .netrc (see
986bbc08 for details). And it was also unnecessary, since
the http fetching code had learned to recognize an HTTP 401
and prompt the user then. Furthermore, the proactive prompt
could interfere with the usage of .netrc (see 986bbc08 for
details).

Unfortunately, the http push-over-DAV code never learned to
recognize HTTP 401, and so was broken by this change. This
patch does a quick fix of re-enabling the "proactive auth"
strategy only for http-push, leaving the dumb http fetch and
smart-http as-is.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'mf/curl-select-fdset'</title>
<updated>2011-12-05T23:10:28Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2011-12-05T23:10:28Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c4c9a63b5434d008fdbfc8c41240d642cbe5147e'/>
<id>urn:sha1:c4c9a63b5434d008fdbfc8c41240d642cbe5147e</id>
<content type='text'>
* mf/curl-select-fdset:
  http: drop "local" member from request struct
  http.c: Rely on select instead of tracking whether data was received
  http.c: Use timeout suggested by curl instead of fixed 50ms timeout
  http.c: Use curl_multi_fdset to select on curl fds instead of just sleeping
</content>
</entry>
<entry>
<title>http: drop "local" member from request struct</title>
<updated>2011-11-04T19:05:01Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2011-11-04T17:53:33Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=093c44a3600323c3ca7a8d28a0d2ba2bc145dd47'/>
<id>urn:sha1:093c44a3600323c3ca7a8d28a0d2ba2bc145dd47</id>
<content type='text'>
This is a FILE pointer in the case that we are sending our
output to a file. We originally used it to run ftell() to
determine whether data had been written to our file during
our last call to curl. However, as of the last patch, we no
longer care about that flag anymore. All uses of this struct
member are now just book-keeping that can go away.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http.c: Rely on select instead of tracking whether data was received</title>
<updated>2011-11-04T17:47:13Z</updated>
<author>
<name>Mika Fischer</name>
<email>mika.fischer@zoopnet.de</email>
</author>
<published>2011-11-04T14:19:27Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=df26c471278f13ca6ad96b12a533ef4172323c13'/>
<id>urn:sha1:df26c471278f13ca6ad96b12a533ef4172323c13</id>
<content type='text'>
Since now select is used with the file descriptors of the http connections,
tracking whether data was received recently (and trying to read more in
that case) is no longer necessary. Instead, always call select and rely on
it to return as soon as new data can be read.

Signed-off-by: Mika Fischer &lt;mika.fischer@zoopnet.de&gt;
Helped-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
